add pki functions and token creation (#32)

nefeldt · web-flow · commit acaae8f485c2 · 2025-08-06T16:24:38.000+02:00
Signed-off-by: Noah Feldt &lt;n.feldt@mittwald.de&gt;
diff --git a/authentication.go b/authentication.go
@@ -0,0 +1,72 @@
+package vault
+
+type Authentication struct {
+	Service
+}
+
+func (c *Client) Authentication() *Authentication {
+	return c.AuthenticationWithMountPoint("auth")
+}
+
+func (c *Client) AuthenticationWithMountPoint(mountPoint string) *Authentication {
+	return &Authentication{
+		Service: Service{
+			client:     c,
+			MountPoint: mountPoint,
+		},
+	}
+}
+
+type AuthCreateTokenRequest struct {
+	RoleName        string                 `json:"role_name,omitempty"`
+	ID              string                 `json:"id,omitempty"`
+	Policies        []string               `json:"policies,omitempty"`
+	Meta            map[string]interface{} `json:"meta,omitempty"`
+	NoParent        bool                   `json:"no_parent,omitempty"`
+	NoDefaultPolicy bool                   `json:"no_default_policy,omitempty"`
+	Renewable       bool                   `json:"renewable,omitempty"`
+	TTL             int                    `json:"ttl,omitempty"`
+	Type            string                 `json:"type,omitempty"`
+	EntityAlias     string                 `json:"entity_alias,omitempty"`
+}
+
+type AuthCreateTokenResponse struct {
+	RequestID     string      `json:"request_id"`
+	LeaseID       string      `json:"lease_id"`
+	Renewable     bool        `json:"renewable"`
+	LeaseDuration int         `json:"lease_duration"`
+	Data          interface{} `json:"data"`
+	WrapInfo      interface{} `json:"wrap_info"`
+	Warnings      []string    `json:"warnings"`
+	Auth          struct {
+		ClientToken   string      `json:"client_token"`
+		Accessor      string      `json:"accessor"`
+		Policies      []string    `json:"policies"`
+		TokenPolicies []string    `json:"token_policies"`
+		Metadata      interface{} `json:"metadata"`
+		LeaseDuration int         `json:"lease_duration"`
+		Renewable     bool        `json:"renewable"`
+		EntityID      string      `json:"entity_id"`
+		TokenType     string      `json:"token_type"`
+		Orphan        bool        `json:"orphan"`
+		NumUses       int         `json:"num_uses"`
+	} `json:"auth"`
+	MountType string `json:"mount_type"`
+}
+
+func (k *Authentication) CreateOrphanToken(pkiopts AuthCreateTokenRequest) (*AuthCreateTokenResponse, error) {
+	response := &AuthCreateTokenResponse{}
+	err := k.client.Write(
+		[]string{
+			"v1",
+			k.MountPoint,
+			"token",
+			"create-orphan",
+		}, pkiopts, response, nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
diff --git a/pki.go b/pki.go
@@ -56,7 +56,7 @@ func (k *PKI) Issue(role string, pkiopts PKIIssueOptions) (*PKIIssueResponse, er
 
 type PKIGenerateIntermediateOptions struct {
 	CommonName       string `json:"common_name"`
-	KeyName          string `json:"key_name"`
+	KeyName          string `json:"key_name,omitempty"`
 	AltNames         string `json:"alt_names,omitempty"`
 	Format           string `json:"format,omitempty"`
 	PrivateKeyFormat string `json:"private_key_format,omitempty"`
@@ -100,6 +100,7 @@ type PKISignIntermediateOptions struct {
 	Format       string `json:"format,omitempty"`
 	KeyUsage     string `json:"key_usage,omitempty"`
 	UseCSRValues bool   `json:"use_csr_values,omitempty"`
+	NotAfter     string `json:"not_after,omitempty"`
 }
 
 type PKISignIntermediateResponse struct {
@@ -117,13 +118,111 @@ type PKISignIntermediateResponse struct {
 
 func (k *PKI) SignIntermediate(issuerRef string, pkiopts PKISignIntermediateOptions) (*PKISignIntermediateResponse, error) {
 	response := &PKISignIntermediateResponse{}
+	path := []string{"v1", k.MountPoint}
+
+	if issuerRef == "" {
+		path = append(path, "root", "sign-intermediate")
+	} else {
+		path = append(path, "issuer", issuerRef, "sign-intermediate")
+	}
+
+	err := k.client.Write(path, pkiopts, response, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
+
+type PKIImportCABundleRequest struct {
+	PemBundle string `json:"pem_bundle"`
+}
+type PKIImportCABundleResponse struct {
+	Data struct {
+		ImportedIssuers []string          `json:"imported_issuers"`
+		ImportedKeys    []string          `json:"imported_keys"`
+		Mapping         map[string]string `json:"mapping"`
+		ExistingIssuers []string          `json:"existing_issuers"`
+		ExistingKeys    []string          `json:"existing_keys"`
+	} `json:"data"`
+}
+
+func (k *PKI) ImportCaOrPrivateKey(pkiopts PKIImportCABundleRequest) (*PKIImportCABundleResponse, error) {
+	response := &PKIImportCABundleResponse{}
+	err := k.client.Write(
+		[]string{
+			"v1",
+			k.MountPoint,
+			"issuers",
+			"import",
+			"bundle",
+		}, pkiopts, response, nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
+
+type PKIListIssuersResponse struct {
+	Data struct {
+		KeyInfo map[string]struct {
+			IssuerName string `json:"issuer_name"`
+		} `json:"key_info"`
+		Keys []string `json:"keys"`
+	} `json:"data"`
+}
+
+func (k *PKI) ListIssuers() (*PKIListIssuersResponse, error) {
+	response := &PKIListIssuersResponse{}
+	err := k.client.List(
+		[]string{
+			"v1",
+			k.MountPoint,
+			"issuers",
+		}, nil, response, nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
+
+type PKIUpdateIssuerRequest struct {
+	IssuerName           string   `json:"issuer_name"`
+	LeafNotAfterBehavior string   `json:"leaf_not_after_behavior,omitempty"`
+	ManualChain          []string `json:"manual_chain,omitempty"`
+	Usage                []string `json:"usage,omitempty"`
+}
+
+type PKIUpdateIssuerResponse struct {
+	Data struct {
+		CACertificateChain           []string    `json:"ca_chain"`
+		Certificate                  string      `json:"certificate"`
+		IssuerID                     string      `json:"issuer_id"`
+		IssuerName                   string      `json:"issuer_name"`
+		KeyID                        string      `json:"key_id"`
+		LeafNotAfterBehavior         string      `json:"leaf_not_after_behavior"`
+		ManualChain                  interface{} `json:"manual_chain"`
+		Usage                        string      `json:"usage"`
+		RevocationSignatureAlgorithm string      `json:"revocation_signature_algorithm"`
+		IssuingCertificates          []string    `json:"issuing_certificates"`
+		CRLDistributionPoints        []string    `json:"crl_distribution_points"`
+		DeltaCRLDistributionPoints   []string    `json:"delta_crl_distribution_points"`
+		OCSPServers                  []string    `json:"ocsp_servers"`
+	} `json:"data"`
+}
+
+func (k *PKI) UpdateIssuer(issuerName string, pkiopts PKIUpdateIssuerRequest) (*PKIUpdateIssuerResponse, error) {
+	response := &PKIUpdateIssuerResponse{}
 	err := k.client.Write(
 		[]string{
 			"v1",
 			k.MountPoint,
 			"issuer",
-			issuerRef,
-			"sign-intermediate",
+			issuerName,
 		}, pkiopts, response, nil,
 	)
 	if err != nil {
@@ -132,3 +231,59 @@ func (k *PKI) SignIntermediate(issuerRef string, pkiopts PKISignIntermediateOpti
 
 	return response, nil
 }
+
+type PKIReadIssuerResponse struct {
+	Data struct {
+		CACertificateChain []string `json:"ca_chain"`
+		Certificate        string   `json:"certificate"`
+		RevocationTime     int      `json:"revocation_time"`
+	} `json:"data"`
+}
+
+func (k *PKI) ReadIssuer(issuerName string) (*PKIReadIssuerResponse, error) {
+	response := &PKIReadIssuerResponse{}
+	err := k.client.Read(
+		[]string{
+			"v1",
+			k.MountPoint,
+			"issuer",
+			issuerName,
+			"json",
+		}, response, nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
+
+type PKIRevokeIssuerResponse struct {
+	CAChain              []string    `json:"ca_chain"`
+	Certificate          string      `json:"certificate"`
+	IssuerID             string      `json:"issuer_id"`
+	IssuerName           string      "json:\"issuer_name\""
+	KeyID                string      `json:"key_id"`
+	LeafNotAfterBehavior string      `json:"leaf_not_after_behavior"`
+	ManualChain          interface{} `json:"manual_chain"`
+	Usage                string      `json:"usage"`
+	RevocationTime       int64       `json:"revocation_time"`
+}
+
+func (k *PKI) RevokeIssuer(issuerName string) (*PKIRevokeIssuerResponse, error) {
+	response := &PKIRevokeIssuerResponse{}
+	err := k.client.Write(
+		[]string{
+			"v1",
+			k.MountPoint,
+			"issuer",
+			issuerName,
+			"revoke",
+		}, nil, response, nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
